我如何prevent重放攻击? [英] How do I prevent replay attacks?
问题描述
这是关系到<一个href=\"http://stackoverflow.com/questions/43324/can-i-put-an-aspnet-session-id-in-a-hidden-form-field\"相对=nofollow>另一个问题,我问。总之,我在那里,当窗体发布到它的URL的一种特殊情况,我可以不依赖于cookie进行认证或保持用户的会话,但我不知要知道他们是谁,我需要要知道他们登录!
This is related to another question I asked. In summary, I have a special case of a URL where, when a form is POSTed to it, I can't rely on cookies for authentication or to maintain the user's session, but I somehow need to know who they are, and I need to know they're logged in!
我想,我想出了一个解决我的问题,但它需要充实。下面是我在想什么。我创建一个名为username的一个隐藏的表单字段和地点在它的用户的用户名,加密。然后,当表单的帖子,即使我不从浏览器收到任何饼干,我知道他们登录,因为我可以解密隐藏的表单字段并获得用户名。
I think I came up with a solution to my problem, but it needs fleshing out. Here's what I'm thinking. I create a hidden form field called "username", and place within it the user's username, encrypted. Then, when the form POSTs, even though I don't receive any cookies from the browser, I know they're logged in because I can decrypt the hidden form field and get the username.
主要的安全漏洞,我可以看到的是重放攻击。我怎么美元,获得该阿霍德加密的字符串,并张贴作为该用户的对$ pvent人吗?我知道我可以使用SSL来使其难以窃取的字符串,也许我可以旋转定期加密密钥限制的时间字符串是良好的数额,但我真的很想找到一个防弹解。任何人有什么想法?是否ASP.Net ViewState的prevent重播?如果是这样,他们怎么办呢?
The major security flaw I can see is replay attacks. How do I prevent someone from getting ahold of that encrypted string, and POSTing as that user? I know I can use SSL to make it harder to steal that string, and maybe I can rotate the encryption key on a regular basis to limit the amount of time that the string is good for, but I'd really like to find a bulletproof solution. Anybody have any ideas? Does the ASP.Net ViewState prevent replay? If so, how do they do it?
修改:我希望的,不需要存储在数据库中的任何一个解决方案。应用程序状态会好起来的,但它不会生存的重新启动IIS或Web农场或花园的场景,在所有工作。我接受克里斯的回答,现在,因为我不相信它甚至有可能没有数据库,以确保这一点。但是,如果有人想出了一个不涉及到数据库的一个答案,我会接受!
Edit: I'm hoping for a solution that doesn't require anything stored in a database. Application state would be okay, except that it won't survive an IIS restart or work at all in a web farm or garden scenario. I'm accepting Chris's answer, for now, because I'm not convinced it's even possible to secure this without a database. But if someone comes up with an answer that does not involve the database, I'll accept it!
推荐答案
如果您哈希与用户名和密码的时间戳,您可以在几秒钟内关闭的重放攻击窗口。我不知道这是否符合你的需求,但它至少是部分解决方案。
If you hash in a time-stamp along with the user name and password, you can close the window for replay attacks to within a couple of seconds. I don't know if this meets your needs, but it is at least a partial solution.
这篇关于我如何prevent重放攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
